Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-j2x6-9323-fp7h

GitHub Security Advisory

Integer bounds error in Vyper

✓ GitHub Reviewed HIGH Has CVE
View on GitHub

Advisory Details

### Impact
in the following code, the return of `<iface>.returns_int128()` is not validated to fall within the bounds of `int128`. as of v0.3.0, `<iface>.returns_int128()` is validated in simple expressions, but not complex expressions.
```vyper
interface iface:
def returns_int128() -> int128: view
def returns_Bytes33() -> Bytes[33]: view

x: iface

@external
def call_out():
x: int128 = self.x.returns_int128() # affected, <0.3.0
y: uint256 = convert(self.x.returns_int128(), uint256) # affected, <0.3.2
z: Bytes[33] = concat(self.x.returns_Bytes33(), b"") # affected >= 0.3.0, <0.3.2
```

### Patches
0.3.2 (as of https://github.com/vyperlang/vyper/commit/049dbdc647b2ce838fae7c188e6bb09cf16e470b)

### Workarounds
Break up operations involving external calls into multiple statements. For instance, instead of the example above, use
```
x: int128 = self.x.returns_int128()
y: uint256 = convert(x, uint256)
```

Affected Packages

PyPI vyper
Affected versions: 0 (fixed in 0.3.2)

Related CVEs

CVE-2022-24845

Key Information

GHSA ID
GHSA-j2x6-9323-fp7h
Published
April 22, 2022 8:24 PM
Last Modified
April 22, 2022 8:24 PM
CVSS Score
7.5 /10
Primary Ecosystem
PyPI
Primary Package
vyper
GitHub Reviewed
✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.